Category: Network and Security
2011-11-27 17:26:18
One common application of client-side PKI certificates is 802.1x network authentication using EAP/TLS to present the client's identity to the server. Unlike many other EAP types, EAP/TLS does not transmit a password from the supplicant to the server, which makes for better network security.
This page explains how to build the FreeRadius server (v1.0.4 was current at the time) and configure it to be used for 802.1x network authentication and EAP/TLS.
This procedure should work for servers running most Linux distributions. The machine we used for testing had RedHat version 9 installed. 802.1x authentication worked using clients on Windows XP, Mac OS X and Linux.
Cisco and Aruba wireless access points were used in the network.
Note that FreeRadius requires OpenSSL 0.9.7 or later. If the base system needs to be upgraded, it's easiest to do that first. The FreeRadius documentation suggests that it is possible to build another copy of OpenSSL for FreeRadius when a system upgrade isn't possible. We did not use that technique.
The rlm_eap_tls module was improved after version 0.9.2, which had not worked with the supplicant in Windows XP. Versions of FreeRadius starting with 1.0.2 did work successfully.
Expand the tar file in /usr/local/src/freeradius (you'll need root privileges to work there).
Build freeradius as follows:
[Note: the configure switch is needed because of the unusual location of the Kerberos include files on Red Hat Linux. Kerberos is referenced by OpenSSL, which is referenced by rlm_eap_tls. If configure doesn't find Kerberos (which includes openssl/ssl.h), it skips building rlm_eap_tls. This switch should not be necessary if Kerberos is in the usual location.]
The binaries and libraries are installed in /usr/local by default.
To build FreeRadius in another directory, e.g. "usrrad/local/", set the prefix option when running "configure":
The configuration files are by default at: /usr/local/etc/raddb/
The main config file is radiusd.conf. No modifications to it are needed.
To configure the RADIUS server to use EAP-TLS authentication, modify "eap.conf" as follows:
The "clients.conf" file tells the RADIUS server which NAS (network access server) devices are allowed to contact it. There are default entries, commented out, to use as a guide. For example, you could set it to expect connections from any NAS in the local IP range x.y.0.0/16. You need to provide a secret that the RADIUS server and the NAS share, and set up the access point to use this same secret.
The "users" file holds the user accounts. Since with EAP-TLS we don't need to know the name of the supplicant, a DEFAULT entry that catches everyone is added:
This example entry expects users to use EAP, and sets the tunneling RADIUS attributes that put the user onto VLAN 1. The values for Tunnel-Type and Tunnel-Medium-Type mean that we are using VLANs, and the Tunnel-Private-Group-Id is the VLAN ID.
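As an added example (not code from the original page or from FreeRadius), the following Python encodes the three RFC 2868 tunnel attributes that such a DEFAULT entry puts into the Access-Accept and decodes them back, so you can check which VLAN a RADIUS reply actually requests; the attribute numbers and the VLAN / IEEE-802 values are the RFC constants and are assumed correct here.

```python
import struct

# RFC 2868 / RFC 3580 constants (assumed; the page names the attributes, not the numbers)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type value "VLAN" (RFC 3580)
MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type value "IEEE-802" (RFC 2868)


def _avp(attr_type, payload):
    """One RADIUS attribute-value pair: Type, Length (header included), payload."""
    return struct.pack("BB", attr_type, 2 + len(payload)) + payload


def vlan_assignment_avps(vlan_id, tag=0):
    """Encode the tunnel attributes a users-file entry like the one above sends.
    Tagged integers are a tag byte followed by a 3-byte big-endian value;
    the group id is a tag byte followed by the VLAN id as a string."""
    return (
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Walk a byte string of AVPs into {type: payload}; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        attrs[attr_type] = data[i + 2 : i + length]
        i += length
    return attrs


def decode_vlan(data):
    """Return the VLAN id the attributes request, or None if they do not
    describe an IEEE 802 VLAN (a switch or AP should then ignore them)."""
    attrs = parse_avps(data)
    if not all(k in attrs for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
    if ttype != TUNNEL_TYPE_VLAN or medium != MEDIUM_IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868 section 3.6: a leading byte of 0x00..0x1F is a tag, not part of the string
    if group and group[0] <= 0x1F:
        group = group[1:]
    return int(group.decode("ascii"))
```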
Create the /usr/local/radius/certs directory and copy the root cert and the server cert requested for the radius server there.
Dartmouth College PKI Lab
Written by: Robert Brentrup
Last update: 23 August 2005